---
layout: commands
page_title: 'Commands: Login'
description: >
  The `login` command will exchange the provided third party credentials with
  the requested auth method for a newly minted Consul ACL token.
---

# Consul Login

Command: `consul login`

Corresponding HTTP API Endpoint: [\[POST\] /v1/acl/login](/consul/api-docs/acl#login-to-auth-method)

The `login` command will exchange the provided third party credentials with the
requested auth method for a newly minted Consul ACL token. The companion
command `consul logout` should be used to destroy any tokens created this way
to avoid a resource leak.

The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.

| ACL Required |
| ------------ |
| `none`       |

## Usage

Usage: `consul login [options]`

#### Command Options

- `-bearer-token-file=<string>` - Path to a file containing a secret bearer
  token to use with this auth method.

- `-meta=<value>` - Metadata to set on the token, formatted as `key=value`. This
  flag may be specified multiple times to set multiple meta fields.

- `-method=<string>` - Name of the auth method to login to.

- `-token-sink-file=<string>` - The most recent token's SecretID is kept up to
  date in this file.

- `-type=<string>` - Type of the auth method to login to. This field is
  optional and defaults to no type. Required for `type=oidc` auth method login.
  Added in Consul 1.8.0.

#### Enterprise Options

- `-oidc-callback-listen-addr=<string>` - The address to bind a webserver on to
  handle the browser callback from the OIDC workflow. Added in Consul 1.8.0.

@include 'http_api_namespace_options.mdx'

#### API Options

@include 'http_api_options_client.mdx'

### Examples

Login to an auth method.

```shell-session
$ consul login -method 'minikube' \
    -bearer-token-file '/run/secrets/kubernetes.io/serviceaccount/token' \
    -token-sink-file 'consul.token'

$ cat consul.token
36103ae4-6731-e719-f53a-d35188cfa41d
```
